Cisco Firepower Management Centers (FMCs) are expensive! Which one should you get?

In all my travels, I go to a whole heck of lot of customers with various Firepower gear and different FMC’s. What I have found is that most of my customers have either been oversold or undersold on the processing/storage/memory for their hardware FMC. To the sales persons defense, finding the right FMC for a large network isn’t that easy, so if they can they just sell the top most expensive 4500 (it’s the largest/fastest Cisco has and they’ll be good)! Yea, until the customer realizes they were oversold, or they find out (when someone finally configures FTD correctly), that they were sorely undersold!

The Cisco 1000, 2500 and 4500 all look about the same:

So why I am stopping my day to write this blog post? Because I have been to a lot of large schools and fortune 50 companies with FTD 4150/9300’s, which are some very powerful NGFW devices, and just in the last month, I’ve consulted in both Nevada and Ohio working at large school districts. Each of these had more internal groups with admins in each location responsible for hundreds of thousands of students, with each department having multiple 9300’s to manage. Yet somehow one of these admin groups was sold a FMC 2000, well at the same time the others were sold 2500’s and 4500’s with no rhyme or rhythm why or how each received what they did. This, unfortunately, is a common occurrence.

So, as we were working on the policies, configuration, and most importantly, the network analysis, we watched the FMC 2000 basically choke and die while the FMC 4500 just kept moving along with basically the same configurations/devices. To get the FMC 2000 working at all, we had to disable almost all logging (send to syslog/splunk). To say this admin and his boss were upset they were undersold the 2000 instead of a FMC 2500 at a minimum is an understatement, and they justly should be upset as Cisco doesn’t want to replace it for them at no cost. Is this a problem? Yes. do I see this all the time? Yes. Was the FMC 2000 EOL when sold. Yes!

So how do you get the right FMC on a budget? (Cisco Firepower and budget are mutually exclusive!). Well, you need to test it in production to find out, just like my customer did in Ohio with the FMC 2000…yikes! However, hopefully this small bullet pointed list will help you make sure you’re getting the right FMC for your network.

**BUT First, before we go on, are you even sure you bought the correct FTD’s? Well, this FMC blog will be long enough as it is, so I’ll just add a new blog post for you on how to find the FTD that’s right for you! Here it is ..and the post is much shorter, and picking an FTD is much easier than picking a FMC!

Couple quick thoughts:

Max sensor are just that, and with my experiences, cutting Cisco’s listed number of supported devices in half is a good rule of thumb (but this will vary on FTD types and number of users, bandwidth and more).

The EPS/FPS is the Events per second/Flow per second the FMC can handle and all-so-important! (discussed at the end of this post in order to make this even longer!)

Virtual FMC

This is a very, very useful FMC and I have at least 20 of these spun up in my lab at any time. Cheap and easy, and you can enable the eval license for up to a year if you want to do labing (and class!). You can only have up to 25 devices, but I wouldn’t put in more than 8 pairs total in production with lower end FTD devices such as 5506/8/16’s. Once you go up to the 5525/45/55/2100, then I’d bring down the amount of devices you’re using, or upgrade to a hardware FMC. If your at FTD 4100/9300’s, just skip this section on the vFMC as it’s not for your production network at all.

So how do you find the maximum number of Connection Events you can store on your FMC? That’s a great question! Doesn’t seem to written down anywhere, so here is how you find out. Go to System>Configuration>Database

The default on ALL FMC’s is 1,000,000…a ridiculous small amount, and if you don’t know about this setting, you won’t even know it’s low. So, set the Maximum connection to just over a billion like so: 1,000,000,001. Click save and the system will now provide the maximum for your FMC. You can see in this screen shot, the vFMC is now at 50Million total.

What about the other settings? Although you can change the amount of IPS events stored as shown in my details of each FMC listed below, I wouldn’t change much of anything else. Be careful here. The only setting you can really safely change is the most important one: Maximum Connection Events, which is the logging of your ACP rules.

4500

With a whopping list price of $116,804.98 you’ll really need to be a school or non-profit to afford these…and just to remind you, and make it even more real, remember that you’ll need two for HA!! (Cisco’s rep puts pinky to cheek and laughs like Austin Powers well telling you this)…

The 4150/55’s and 9300 FTD devices are the best NGFW in the industry and they can send some data! 4500’s are your only option today.

EPS/FPS

This is an all so important (I’ll keep it short) to understand subject because even with a 4500, it’s possible to overload that.

I had a customer in D.C. that had two-hundred 4150’s in 100 pairs….yes, and they paid $100 Million dollars too! Wowza! Anyway, their 4150’s sent way more data than their 4500 FMC HA pair could handle as you can imagine! Looking at the 4500 bullet points above, you can see the small amount of events this device can receive, although in reality 20k EPS is a lot!

Just like the solution on the FMC 2000 used in the above text, we offloaded ALL events to Splunk to solve this issue.

Now you can just imagine the Splunk salesman with his pinky to his cheek, can’t you? I think they all have their pinkly glued to their faces now that I think about it…

Your email address will not be published. Required fields are marked *

Comment

Name *

Email *

Website

Hi,

since we Norwegians are a quiet people - I send you an email. 🙂

So far, this firepower class has been fantastic! Especially I like the labs, the troubleshooting and customer examples.

Really one of the best classes that I have attended and online classes works perfect! Looking forward to the last two days.

Best,

Kristian

1.0

2018-01-27T09:40:48-06:00

Hi, since we Norwegians are a quiet people - I send you an email. 🙂 So far, this firepower class has been fantastic! Especially I like the labs, the troubleshooting and customer examples. Really one of the best classes that I have attended and online classes works perfect! Looking forward to the last two days. Best, Kristian